CVE-2025-34413

Legality WHISTLEBLOWING Missing Critical HTTP Security Headers

Description

Legality WHISTLEBLOWING by DigitalPA contains a protection mechanism failure in which critical HTTP security headers are not emitted by default. Affected deployments omit Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy (with CSP delivered via HTML meta elements being inadequate). The absence of these headers weakens browser-side defenses and increases exposure to client-side attacks such as cross-site scripting, clickjacking, referer leakage, and cross-origin data disclosure.

INFO

Published Date :

2025-12-09T18:11:30.573Z

Last Modified :

2025-12-09T19:20:56.642Z

Source :

VulnCheck

AFFECTED PRODUCTS

The following products are affected by CVE-2025-34413 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-34413.

URL	Resource
https://seclists.org/fulldisclosure/2025/Dec/0
https://www.digitalpa.net/en/whistleblowing-software-features/
https://www.vulncheck.com/advisories/legality-whisteblowing-missing-critical-http-security-headers

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability